CVE-2013-3918
published 2013-11-12


Priority P188
CVSS 3.1: 8.8 (high)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-27
Exploited in the wild
EPSS: 73.87% (99.4th percentile)
The InformationCardSigninHelper Class ActiveX control in icardie.dll in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted web page that is accessed by Internet Explorer, as exploited in the wild in November 2013, aka "InformationCardSigninHelper Vulnerability."

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | | |
| microsoft | windows_server_2008 | | |
| microsoft | windows_server_2012 | | |

Detection & IOCs (extracted from sources)

filename: icardie.dll
other: CLSID: {19916E01-B44E-4E31-94A4-4696DF46157B}
other: ActiveX method: requiredClaims
bytes: \x64\xa1\x18\x00\x00\x00\x83\xC0\x08\x8b\x20\x81\xC4\x30\xF8\xFF\xFF
  • Detect exploitation attempts by monitoring for instantiation of the InformationCardSigninHelper ActiveX control (CLSID {19916E01-B44E-4E31-94A4-4696DF46157B}) via Internet Explorer, particularly calls to the 'requiredClaims' method.
  • Monitor for VBScript patterns that call .remove() on an empty CardSpaceClaimCollection object in a loop to trigger integer underflow, followed by .add() — a hallmark of the in-the-wild exploit technique.
  • Look for heap-spray patterns in VBScript creating large arrays of HTML OBJECT elements (~5493 elements) with deliberate holes (nulling every other element starting at index 4093), consistent with the in-the-wild exploitation technique.
  • Set a kill bit for CLSID {19916E01-B44E-4E31-94A4-4696DF46157B} (icardie.dll InformationCardSigninHelper) to prevent instantiation; monitor registry for its removal as an indicator of tampering.
  • Monitor icardie.dll for the underflow instruction at offset CCardSpaceClaimCollection::remove+0xa0 (opcode ff 4e 08 — dec dword ptr [esi+8]) being hit with a zero-length collection as a breakpoint/EDR telemetry signal.
  • The Metasploit module specifically targets Windows XP with IE 8 (x86); the ROP gadget addresses (0x77c20433, 0x77c15ed5) are hardcoded for msvcrt on that platform and will not apply to other OS/IE versions.
  • The vulnerability affects a broad range of Windows versions (XP through RT 8.1); detection rules scoped only to XP/IE8 will miss exploitation attempts on newer platforms.

CVSS provenance

nvd v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH